PfSense, Cable Modems and VLANs

scilek

When I connect the cable modems to each separate port on my pfSense box, the WAN interfaces that I define can get their DHCP addresses as expected.

But when I define VLANs on one interface and assign them as WAN ports and connect to a smart switch, it works only when just one modem is connected to the switch. When I connect the other two, it fails:

Does anyone have any idea why?

works.png_thumb
![does not work.png](/public/imported_attachments/1/does not work.png)
![does not work.png_thumb](/public/imported_attachments/1/does not work.png_thumb)

jaspras

I have ..alsmost the same configuration (with more modems) but i use a cisco switch. It works like a charm

make sure port 1 is NOT a member of VLAN 12 nor VLAN 13 and goes out untagged
make sure port 2 is NOT a member of VLAN 11 nor VLAN 13 and goes out untagged
make sure port 3 is NOT a member of VLAN 11 nor VLAN 12 and goes out untagged

Make Sure that all Modems are on a different subnet

ie..
10.1.1.1/24
10.1.2.1/24
10.1.3.1/24

witch 3com are you using ?

Derelict

Yeah. No reason that won't work. Check your switch configuration.

chpalmer

Reboot your modems each time you switch interfaces connected to them.

Derelict

You also want to make sure the DHCP clients on the WAN interfaces all reject accepting leases from the modems themselves, otherwise you might end up with multiple interfaces on 192.168.100.0/24 which will, of course, break stuff.

Usually rejecting leases from 192.168.100.1 is sufficient but YMMV (Your Modem May Vary).

scilek

@jaspras:

I have ..alsmost the same configuration (with more modems) but i use a cisco switch. It works like a charm

make sure port 1 is NOT a member of VLAN 12 nor VLAN 13 and goes out untagged
make sure port 2 is NOT a member of VLAN 11 nor VLAN 13 and goes out untagged
make sure port 3 is NOT a member of VLAN 11 nor VLAN 12 and goes out untagged

Make Sure that all Modems are on a different subnet

ie..
10.1.1.1/24
10.1.2.1/24
10.1.3.1/24

witch 3com are you using ?

All modems are on different subnets:
192.168.254.1/24
192.168.253.1/24
192.168.252.1/24

The switch is a 3COM Baseline Switch 2226-SFP Plus.

I also tried the same on an Allied Telesis AT800GS-24 Gigabit Switch. Maybe I was not able to get the configuration right on that one. (There are many issues with the web interface and I was not in a situation where I could look in the manual and type commands.)

Which Cisco are YOU using?
What make are your modems?

scilek

@chpalmer:

Reboot your modems each time you switch interfaces connected to them.

What do you mean?

scilek

@Derelict:

You also want to make sure the DHCP clients on the WAN interfaces all reject accepting leases from the modems themselves, otherwise you might end up with multiple interfaces on 192.168.100.0/24 which will, of course, break stuff.

Usually rejecting leases from 192.168.100.1 is sufficient but YMMV (Your Modem May Vary).

DHCP is disabled on all modems and all are in bridge mode. But strangely, Netmaster modems sometimes still gives the WAN interface the IP "192.168.100.10"

Derelict

Exactly. You need to reject those leases.

He means if you change the configuration of a cable modem, such as it seeing a new WAN MAC address, reboot the cable modem.

Actually, if the ISP DHCP server is assigning addresses based on MAC address, all of those interfaces will have the same MAC and that might be an issue. If that is the case, there is nothing pfSense can do there I don't think.

scilek

@Derelict:

Exactly. You need to reject those leases.

He means if you change the configuration of a cable modem, such as it seeing a new WAN MAC address, reboot the cable modem.

Why is the modem still giving the WAN interface an IP that is not even in the same subnet as itself?
And how do I configure my WAN interface to reject those leases in addition to checking the "Block private networks and loopback addresses" ?

Derelict

No. It is on the WAN interface under Reject Leases From.

scilek

@Derelict:

No. It is on the WAN interface under Reject Leases From.

Yeah, my bad… I'm on it now... Configuring from home... I'll go there tomorrow and give it a shot. Thank you very much indeed. Why are cable modem such a pain in the kidney?

chpalmer

What are the model numbers of the cable modems?

Gateway modems will NAT and hand out IP addresses in the private ranges.

Bridge only modems can hand out addresses in the 192.168.100.x range when they are offline but will bridge you to your ISP's DHCP server when online.

Trying to understand what you have but seems like gateways. Who is the ISP?

scilek

@chpalmer:

What are the model numbers of the cable modems?

Gateway modems will NAT and hand out IP addresses in the private ranges.

Bridge only modems can hand out addresses in the 192.168.100.x range when they are offline but will bridge you to your ISP's DHCP server when online.

Trying to understand what you have but seems like gateways. Who is the ISP?

The cable modems are Netmaster Infinity v401s. They are all in bridge mode. The ISP is Türksat.

scilek

@Derelict:

You also want to make sure the DHCP clients on the WAN interfaces all reject accepting leases from the modems themselves, otherwise you might end up with multiple interfaces on 192.168.100.0/24 which will, of course, break stuff.

Usually rejecting leases from 192.168.100.1 is sufficient but YMMV (Your Modem May Vary).

I configured the ports to reject leases from 192.168.100.1 and the modems' IPs, I spoofed MACs and tried again.

First I shut down the pfSense router. Then I turn on the modems. I wait for them to become online. Then I turn on the router. It boots up like normal. It obtains valid IPs from each modem. It works fine for a minute. Then two of the WAN interfaces lose their IPs ("n/a" or "0.0.0.0").

I think it is the switch. Should I put the ports in trunk mode?

Also, what make and/or model of switch would you recommend for this kind of configuration?

Derelict

You cannot spoof the MAC to different MAC addresses for each VLAN on an interface. The interface itself sets the MAC address and the VLANs just use that. I think the problem might be that the ISP is seeing the same MAC address on all three interfaces. It is perfectly "legal" and the expected way to behave, but cable modems/ISPs might care about that.

If it worked on three physical interfaces and doesn't work now, there is not much else it could be.

A call to them and an attempt to get someone who might know what you're talking about is probably in order.

scilek

@Derelict:

You cannot spoof the MAC to different MAC addresses for each VLAN on an interface. The interface itself sets the MAC address and the VLANs just use that. I think the problem might be that the ISP is seeing the same MAC address on all three interfaces. It is perfectly "legal" and the expected way to behave, but cable modems/ISPs might care about that.

If it worked on three physical interfaces and doesn't work now, there is not much else it could be.

A call to them and an attempt to get someone who might know what you're talking about is probably in order.

OK. I'll do that. I'll also try using another switch some other time.